Thought you were done after Tuesday's 115-fix day? Not yet: Microsoft emits SMBv3 worm-cure crisis patch

Anyone able to reach a vulnerable machine can get system-level access, no login needed


Microsoft has released an out-of-band emergency patch for a wormable remote-code execution hole in SMBv3, the Windows network file system protocol.

On Thursday morning, Redmond emitted the update to Server Message Block 3.1.1 to kill off a critical flaw word of which leaked out inadvertently this week.

Designated CVE-2020-0796, the bug can be exploited by an unauthenticated attacker to execute malicious code, at administrator level, on an un-patched system simply by sending the targeted system specially crafted compressed data packets. A hacker thus just needs to reach a vulnerable machine on the internet or network to fully compromise it.

Systems running 32 and 64-bit Windows 10 v1903, Windows 10 v1909, Windows Server v1903 (Server Core), and Windows Server v1909 (Server Core) – and just those versions – need to get patched right now. This flaw is wormable, in that once a box has been hijacked, it can automatically seek out more victims to infect and spread across organizations and the globe.

"While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority," Microsoft said of the update.

Windows 10 by Anton Watman, image via Shutterstock

Stuck at home? Need something to keep busy with? Microsoft has 115 ideas – including an awful SMBv3 security hole to worry about

READ MORE

The SMB bug fix was a late addition to Microsoft's March edition of Patch Tuesday – after the security hole was accidentally disclosed by the Cisco Talos research team in a blog post recapping this month's updates: Cisco thought Microsoft had fixed the bug this week as part of March's Patch Tuesday, and alerted the world to the bug's presence to get people to install their updates. In reality, Microsoft hoped to patch the hole later this year, no patch was available, and now everyone knew there was a hole in the compression part of the SMBv3 code.

The revelation sent Microsoft scrambling to post a fix for the flaw, dubbed SMBGhost, just hours after it had emitted updates for 115 other CVE-listed security vulnerabilities.

Designed to allow shared access to files, printers, and hardware ports, SMBv3 is a network protocol included in desktop and server editions of Windows.

"If you are running Windows 10, versions 1903/1909 or Windows Server, version 1903/1909 and have automatic updates enabled, you are automatically protected and do not need to take any further action," Microsoft said. "If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply those updates to your Windows." ®


Biting the hand that feeds IT © 1998–2020